Re: GNU Guix Questions
From: Ludovic Courtès
Subject: Re: GNU Guix Questions
Date: Tue, 07 Mar 2017 14:57:54 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Hi!
address@hidden wrote:
> * Does Guix defend against the variety of attacks described in the TUF
> threat model document? (described in link below) How resilient is it
> against key compromise? (TUF was designed from the ground up to
> provide a highly resilient and secure update framework as a drop in
> replacement to crappy standalone updaters - a problem that's become
> very serious for proprietary OSes. The security research and
> implementation behind it are an excellent rubric that one can apply to
> any updater/package manager.)
>
> https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
The short answer is: not yet.

The longer answer is that TUF is biased towards “traditional” package
managers where the main asset is a binary package archive.

Guix is conceptually a source-based package manager, so what we want to
authenticate is Git checkouts of Guix itself. TUF needs to be “ported”
to this model. We’ll address this hopefully within a few months, and
definitely by 1.0:

https://bugs.gnu.org/22883

Ludo’.